Transaction Laundering – a Growing Threat in the Payments Industry

WHITE PAPER

TRANSACTION LAUNDERING – A GROWING THREAT IN THE PAYMENTS INDUSTRY

Abstract Nientibus et harum la aliquos que dunt harunte nat qui assimin ctincti nimoloratur? Quis sin enim expello rescitis aliberiosam, sumendu cienimil es ab in pelibus antiunt, eatur sit volorec tetur, occus asi suntiss imporer eperis dolupta que quid quatis mo volorit quas maio. Im acest, eos si beat. Ur? Nonseque reribus. Itatium re, nissi nullupietur audis sit adis con non corrum fugias eosae nones nonsenimus Itate esto moluptatur autatis sinctota dolent labo. Sum autem reriossum eos acerestectur rem que et haribus vel etur What is transaction laundering? Transaction laundering is an activity through which entities, unknown to a merchant acquirer, process their payments through the facilities provided by the acquirer to a known merchant. It is a criminal activity which violates the agreement that the merchant had with its acquirer.

The method of using legitimate websites as a front is being used by criminals to conduct illegal activities, such as sale of counterfeit products, drugs and weapons trade, illegal pharmaceuticals, illicit pornography, unlicensed gambling, money laundering, and terrorism financing.

It creates a situation where Merchant Service Providers (MSP – a collection of banks, acquirers, and payment processors) unknowingly become party to illegal activities and facilitate money laundering. This not only damages their reputation, but also makes them vulnerable to excessive chargebacks, legal actions, and regulatory penalties.

Transaction laundering is sometimes referred to as ‘unauthorized aggregation’ or ‘undisclosed aggregation’ or ‘factoring’. This is because of the way illegal payments from one or more unknown sites are aggregated to be processed through a single legal merchant account. However, “aggregation” is a legitimate payments model using which small and medium businesses rely upon payment aggregators to take credit and debit card payments from their customers. Thus the term ‘transaction laundering’ became popular which indicates that the payment transaction itself is altered to launder money.

The ultimate penalty is borne by the acquiring bank of a merchant indulging in transaction laundering, either knowingly or unknowingly. Regulations require the MSP to verify the legal identity of their customers and identify the Ultimate Beneficial Owner (UBO) of that entity. However, traditional Know Your Customer (KYC) still focuses on physical aspects of the legal entity as opposed to the digital aspects, making the payments area extremely vulnerable to transaction laundering.

External Document © 2018 Infosys Limited How big is this threat? which about three percent are involved in in Paris in 2015 was aided by transaction illegal activities. laundering. According to EverCompliant, which is a According to a research by pymnts.com, solution provider in this space, US$155 G2, another solution provider who has been monitoring merchant content for more than 25 percent of terminated billion was generated from online sales the last 11 years, has found out that an accounts come back into the payment via transaction laundering in 2016 in average of 1.5 percent of a client’s portfolio system in a disguised manner with nearly no the USA alone. In addition, banks are contains illegal or unknown websites. change in their operations. About 50 percent processing about six percent to ten percent of websites involved in unlawful activities do of unauthorized e-commerce sites, out of In fact, the Charlie Hebdo terrorist attack not register for merchant accounts.

Why is transaction laundering difficult to detect? Although this method of money laundering may seem simple, it is not very easy to detect through traditional means due to the following reasons:

1. Complexity of the payments chain: There can be several combinations of a payment cycle involving the shopping cart, payment gateway, payment processor, and bank where the payment may go through multiple gateways or payment processors. Hence, it is very difficult to differentiate legitimate transactions from the illegitimate ones

2. Inability to safeguard websites: Some merchants may not realize that their websites are being used for illegal transactions either through their affiliate programs or simply by using their website as a shadow site

3. Numerous unreported websites: Transaction violations maybe done through hidden websites that the bank may not know and therefore may not monitor. Traditional monitoring methods do not catch unreported websites

4. Growing use of corporate credit cards in business to business (B2B) payments: It has seen a growth of 25 percent till 2016 and is expected to grow at least at a rate of 10 percent y-o-y till 2018. Some of these corporate credit cards offer attractive cash backs making it a more preferred option over Automated Clearing House (ACH). Therefore, it is now common to have a large payment (running into thousands of dollars) being done via a single transaction, making it difficult to single out malicious transactions.

In recent times, the threat of transaction e-merchants and payment facilitators 2. Factors that do not deter enough: laundering has increased due to two which provide a good degree of a. Fraudsters are finding it difficult to launder primary reasons – i) rapid increase in anonymity money through traditional means (cash, mechanisms that aid in this activity, and c. Banks have outsourced the high-cost wires, ACH) given the sophisticated and ii) the checks to detect them are unable to customer and merchant acquisition mature monitoring systems that exist keep pace. to payment service providers and for such payment methods. However for credit cards, the focus has typically been 1. Factors that aid transaction facilitators, who do not have the same degree of risk management and on frauds as opposed to money laundering laundering: monitoring capabilities b. Current regulations are attuned largely to a. Creating a professional-looking d. There has been a sudden surge in lines of business such as banking, capital website to sell goods along with alternate payment methods, such as markets, and insurance or products such as a checkout page and credit card digital wallets, payment processors, wires, cash deposits, and securities trading. profile has become very easy and payment gateways, which do not Payments and ‘card not present’ credit enabling criminals to create an online have a very good monitoring solution, card transactions are the blind spots in the marketplace swiftly. Criminals do not giving a fraudster newer avenues to world of anti-money laundering (AML) have to create actual brick-and-mortar launder money c. Merchant acquirers are not governed by storefronts to launder money. Thus, e. It has become an attractive avenue to the same level of Bank Secrecy Act (BSA) all three steps of money laundering – generate additional revenue, either / AML requirements as those of banks. placement, layering, and integration through abuse of affiliate programs or They focus on monitoring transactions can be done digitally by being complicit to the crime along for chargebacks only, instead of money b. There has been a substantial growth in with a launderer laundering

Transaction laundering can be done in various ways and its typical growth trend is given in Exhibit 1.

Scope of traditional monitoring systems 4 Combination of traditional laundering and complicit merchants Illicit money gets legally transferred to criminal’s account 1 Malicious competitor either within or outside country

Framing: Harvest merchant Have legitimate cash- credentials and use that to Payment Service Encash money from Acquiring Bank intensive merchant buy perform malicious operations Provider prepaid card into fictitious product from criminal’s account via ACH complicit online merchant Disclosed aggregation merchant Transaction laundering (Online) Funnel Account: Illegal

business related credit card Collude with legitimate Buy prepaid card from Smurfing charges funneled as legitimate cash-intensive firms legitimate merchant Laundering without without the Laundering knowledge merchant’s Traditional (In-person) Registered Affiliate

Merchant-based money laundering Sell drugs/illegal items for Affiliate Fraud: Use harvested cash or via earlier methods credit card credentials to make Registered Merchant purchases and earn “points” Traditional & Transaction laundering (In-person & Online)

Non-registered Criminal owned merchants registered merchant Pass-through: Forcibly embed Front business (direct): merchant payment link in Directly selling illegal item in illegal website disguise via registered site 2 3 Criminal owned Owning the merchant business and Laundering with the Undisclosed Undisclosed merchant using it as a “front” merchant’s knowledge aggregation merchant Corrupt merchant: Partner with Front business (indirect): Several other functionally and visually corrupt merchants who allow use Unauthorized website selling similar websites were created with of their payment accounts for illegal items using registered different acquiring banks and PSPs illegal sales, for a fee merchant account

Exhibit 1: The evolution of transaction laundering

External Document © 2018 Infosys Limited 1. Merchant is unaware 2. Merchant is aware and i. Front business (direct): This is where complicit the ‘front’ business can openly sell a. Framing: A company / entity illegal substances using a masked with malicious intent creates an a. Pass-through company: A company name through the website. For illegal website and reports it to with legitimate business is forced example, a food ingredient company a card network to provoke a test to take on an illegitimate entity to selling banned drugs via a masked operation. When this transaction is use its account. This malicious entity name through its website. executed, the entity harvests the embeds the legitimate merchant’s credentials and uses this to place an payment link on its website using it ii. Front business (indirect): This is order from its competitor’s site, thus to accept payments against sale of where the syndicate creates a ‘framing’ the innocent merchant. illegitimate goods. They may often shadow site selling illegal items give a certain percentage cut of the using the license provided for the b. Funnel account: The legitimate processed amount to the legitimate legal ‘front’ business. For instance, a merchant accepts credit card merchant. charges from another company that pharmacy in the UK obtained license to sell legitimate drugs online does not have merchant processing b. Corrupt merchant: There could also accounts (regular aggregation). be merchants with real businesses and displayed the government- However, this company may be such as phone accessories, but have authorized EU common logo to indulging in illegal business. These partnered with an organization to depict authenticity. It did not allow credit card charges are funneled process illegal transaction to earn foreign orders to be processed since into the payment processing extra revenue. it had only UK license and also did engines as legitimate. not allow prescription drugs to be c. Affiliate fraud: An affiliate of a 3. Merchant owned by a sold without valid prescription from legitimate merchant may use the criminal syndicate an in-person medical evaluation. site to make fictitious or non- A criminal syndicate can open various real However, it also created a shadow fictitious purchases using harvested businesses (often innocent and low-risk website that sold prescription drugs credit card credentials and earn such as clothing store and a toy store) to without prescription and allowed affiliate commission points. act as a ‘front’ to launder illegal substances. such drugs to be shipped outside

External Document © 2018 Infosys Limited UK, using the same merchant transactions / shipments). For not actually ship anything at all, given account to process customer example, the drug mafia in Mexico that the purpose of the transaction payments. The EU common logo actually provides a “line of credit” was to transfer the illicit money and is displayed on both the real and to wholesale buyers in the US. not for any real business need. These wholesale dealers then sell shadow websites which tells the b. Prepaid gift card ‘smurfing’ payment providers, e-commerce drugs using any of the mentioned This method is known to have been platforms, other intermediaries, and methods or via direct cash used by terror groups to fund their patients that both websites are legal. transactions. The revenue generated operations (for example, the Paris is then sent back to Mexico via attack in November 2015). In this another transaction laundering 4. Combination of traditional method, a criminal syndicate can method called merchant-based laundering and complicit employ some people (smurfs) to merchants money laundering. purchase low value prepaid gift In all the above examples, the laundering The crime syndicate ties up with cards from different stores (retailer) activity is largely happening online. cash-intensive businesses such as and then load these cards with low sums of money every day, making However, in recent times, unsuspicious supermarket, vending machine sure that each card is loaded after activities through brick-and-mortar stores operators, convenience stores, a requisite gap in time. In this way, combined with transaction laundering restaurants, private ATMs, cigarette illicit money gets loaded into prepaid done via complicit merchants have made distributors, liquor stores, parking gift cards which is then legalized this activity extremely difficult to detect. garages, and others. They either by transferring this money to a This seems to be the preferred method of collude or coerce the cash-intensive bank account via ACH. The ‘smurfs’ cross-border crimes. businesses to mingle the illegitimate are careful to deal with amounts cash with their legitimate cash for below the Continuous Transaction a. Merchant-based money laundering a fee. The cash-intensive business Reporting (CTR) threshold of [Transnational Organized Crime is then instructed to make regular US$10,000. (TOC)] purchases from specific merchants Normally, the retailer does not ask Merchant-based money laundering in Mexico on a regular basis, via for documentation from people who is a process where goods / services which the illegitimate money gets purchase or load prepaid cards with being paid are either under-valued transferred across the border. The amounts equal to or lower than $500 or not present at all (phantom Mexican merchant, on its part, may in the US and GBP 250 in the UK.

External Document © 2018 Infosys Limited The regulatory view of trying to balance rules around this, with non-anonymous, non-reloadable under transaction laundering political, economic, and logistical hurdles. EUR150 prepaid cards) and transparency around beneficial ownership of • In the US, transaction laundering comes • The European Union has already passed companies and trusts. under the ambit of Financial Crimes the 4th AML Directive (AMLD) and the Enforcement Network (FinCEN), Federal 5th AMLD is in the process. Europe has However, one thing that all the regulations Financial Institutions Examination put in measures around performing lack is a clear focus on how to implement Council (FFIEC), and Consumer Financial transaction and business relationship these increased directives and rules. The Protection Bureau (CFPB) where they see monitoring even for simplified Customer regulations put more focus on unusual, transaction laundering as a variation of Due Diligence (CDD) cases, extending the complex transactions with no apparent the AML themes. One aspect that FinCEN scope of AMLD to virtual currencies and purpose or transactions involving high-risk is struggling with is the way to frame rules wallet providers. Standard or enhanced countries. However, transaction laundering for cross-border prepaid card smurfing. CDD to be performed on e-money happens in transactions that do not appear Today, open-loop prepaid cards are not products (prepaid cards) regardless of the to be unusual or unlawful at first sight. subjected to the cross-border reporting amount and whether they are reloadable Hence, the regulatory bodies also need to requirement of US$10,000. The agency is (simplified CDD to be done only for do more to counter this threat.

External Document © 2018 Infosys Limited What can MSPs do better? c. Are the items being purchased in 5. Typically, third party payment line with the merchant’s regular line processors and merchant acquirers are 1. Banks tend to categorize business of of business? Example: Is a fruit seller not subject to formal AML regulations. their customers as high risk or low risk trying to sell high-end electronics? They should, however, start monitoring and base their monitoring activities on transactions from a money laundering this customer risk score. However, very d. Is there any hard evidence that perspective. Acquiring (sponsor) banks low-risk businesses can actually be fronts although the payment was made, the should consider providing transaction for transaction laundering. Therefore for item was indeed shipped? laundering tools to their sponsored detecting transaction laundering, non- 4. Acquirers can take additional steps Independent Sales Organizations (ISOs). traditional methods of monitoring and during the underwriting process to investigation are required. identify merchants who are indulging 6. The merchant acquirer can run analytics on the type of merchants they have 2. There needs to be a way by which in or are likely to indulge in transaction and the average credit card processing banks can monitor the cash deposits laundering. volumes per month for each. They can of a business along with its credit card a. Perform advanced due diligence on see if there are certain outlier merchants activity with inputs from the merchant merchant website such as vetting whose prepaid card processing volumes acquirer to be able to create a full picture backlinks to the site and identifying are higher than the rest in the same of potential money laundering. websites that use the same server category. or have common ownership to the 3. Focus on AML on credit cards rather than merchant applicant 7. While the merchant / retailer the fraud on credit cards alone. Just as themselves do not have rules to collect there are red flags for credit card fraud, b. Carry out click origination identification information of people there needs to be red flags for money investigations and behavioral who transact in lower sums of money laundering using credit card. Some monitoring across the entire merchant examples could be: portfolio on a prepaid card, there can be a system c. Impart training to all departments built and used where amount of money a. In terms of amount, customers or in the organization (such as sales, being loaded in a prepaid card is added items, is the transaction in alignment chargeback, processing, etc.) and tracked. The destination accounts with historical transactions? d. Perform site visits, examine merchant where the money on this card is used b. Is the merchant procuring items balance sheets and profit and loss can also be tracked, so as to build a internationally when they are available (P&L), seek testimonials, and conduct network of the way money travels on a locally? If so then why? surveys given prepaid card.

External Document © 2018 Infosys Limited What are the solutions databases and human investigation. inspect transactions conducted on available in the market today? There are a few vendors with transaction suspicious-looking websites (a database laundering solutions. Largely, their that is built over time) and then try to By and large, combatting transaction solutions revolve around merchant link it back to the merchant acquirer laundering will require a combination website profiling and searching for which processed the transaction. Some of merchant and transaction profiling certain characteristics and perform of the products in the market are shown solutions combined with criminal behavioral analytics. They could also in the Exhibit 2 below.

WEBSITE & CYBER ANALYTICS BASED

EverCompliant “Merchant View” – It is a solution to detect and prevent transaction and money launderers, hidden transaction tunnels and merchant fraud from entering the ecommerce ecosystem by leveraging cyber intelligence. In BEHAVIORAL ANALYTICS BASED 2016, they added an additional capability in MerchantView. The new platform is now able to detect hidden mobile apps and fraudulent mobile payments being processed through legitimate Zero Score - ZeroScore™ Transaction Laundering merchant accounts. It also reveals related and Detection service is a solution that will work without unreported mobile applications, URLs, payment being tightly integrated with the acquirer or payment environments and provides the tools to manage facilitator and seamlessly detect Transaction risk on an ongoing basis. laundering. It monitors user behavior and traffic flow together which when passed through highly developed algorithms alerts the acquirer or payment facilitator of possible Transaction laundering in real DATABASE & WEBSITE ANAYTICS BASED time. This solution is used by MasterCard. ControlScan SiteWatch (EverCompliant’s US partner) - SiteWatch not only detects content violations on reported websites, but also helps detect G2 Transaction Laundering Detection – This is a unreported and unauthorized URLS associated with service that combines data, technology and expertise. Trustwave’s Transaction Laundering Detection – It known merchants. It helps in assessing merchants, It has a database called Merchant Map™ with 11 years helps acquirers, banks, payment processors, ISOs ongoing review of existing merchants, detecting web of data on merchants and criminals. It also has tools closely monitor their merchant websites for illegal presence for merchants with no reported websites that run analytics on transactions, website and traffic activities. It doesn’t just examine the merchant’s and special investigations. Its solution is cloud-based and a group of data scientists and analysts who verify transaction summary or the site’s URL and SSL with a SaaS delivery model. It has a partnership with violations, and continually identify patterns and fine configurations but also keywords, language and EverCompliant. tune detection methods. images on the site.

Exhibit 2: Products in the Market

Merchant acquirers and major card brands do not come under the same regulatory purview as regular banks do. However, this blind spot is now being misused by criminals. There is a definite cost involved in implementing sophisticated monitoring and analytics engines. However, payments industry can actually benefit society in a much larger way if they actually start reporting suspicious activities while also improving their reputation in a proactive manner.

At the same time, there is an equally important role for the regulatory bodies to play in determining the manner in which directives are followed and the consequences to the perpetrators when caught, thus closing the loop of arresting transaction laundering.

Kasturi Chattopadhyay nce Practice, Financial Services Domain Consulting Group, Infosys Global Delivery Partner, Financial Services Application Development & Maintenance, Infosys Limited Kasturi has over 18 years of delivery and consulting experience in the financial services industry. Currently she is the Global Delivery Partner for a key client of Infosys. Until recently, she headed the Financial Services Risk and Compliance practice for the Americas in the Infosys’ Domain Consulting Group. Over the years, she has worked with several financial institutions to identify the pain points, and architect transformation programs and projects that involved both business process transformation and product/ technology assessment & implementation - in the areas of financial crime management (AML and fraud), regulatory compliance, and enterprise risk. She has also helped financial institutions adopt new-age paradigms such as robotic process automation, artificial intelligence, and machine learning.

References http://www.acfcs.org/news/307150/Merchant-based-money-laundering-part-1-Phantom-Shipments.htm https://www.acfcs.org/news/328136/Merchant-based-money-laundering-part-2-Prepaid-gift-card-smurfing.htm http://www.lexology.com/library/detail.aspx?g=972e73e4-a663-4aff-a38a-5053b457a23f http://evercompliant.com/transaction-laundering-new-advanced-form-money-laundering/ http://zeroscore.com/PDF/ZeroScore_TLD.pdf https://www.g2webservices.com/cleaning-out-transaction-laundering/ https://www.g2webservices.com/acquiring/g2-portfolio-protection/transaction-laundering/ https://www.legitscript.com/wp-content/uploads/2016/07/LegitScript-Report-on-Chemist4U-Transaction-Laundering.pdf http://www.thepaypers.com/expert-opinion/transaction-laundering-101-what-banks-and-msps-should-know/767506 http://controlscan.com http://finance.yahoo.com/news/controlscan-helps-shed-light-emerging-130000347.html https://ftalphaville.ft.com/2017/03/17/2186157/why-transaction-laundering-is-turning-into-a-huge-financial-blindspot/ http://www.pymnts.com/exclusive-series/2015/what-banks-and-processors-must-know-about-transaction-laundering/ https://www.linkedin.com/pulse/new-age-money-laundering-nadja-van-der-veer https://www.linkedin.com/pulse/new-age-money-laundering-2-nadja-van-der-veer?published=t https://www.iconfinder.com/icons/332100/buy_e-commerce_ecommerce_laptop_macbook_market_mouse_online_shop_online_store_ order_purchase_shopping_store_web_shop_web_store_icon https://www.boundless.com/sociology/textbooks/boundless-sociology-textbook/deviance-social-control-and-crime-7/the-symbolic- interactionalist-perspective-on-deviance-64/differential-association-theory-381-8939/ https://financesonline.com/15-popular-payment-gateway-solutions-one-best/ www.psdgraphics.com

or more information, contact askusinfosys.com

1 Infosys Limited, engaluru, India. ll Rights Reserved. Infosys believes the information in this document is accurate as of its publication date such information is subect to change without notice. Infosys acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the prior permission of Infosys Limited and or any named intellectual property rights holders under this document.

Infosys.com SE I Stay Connected